Wednesday, December 17, 2014

Why You Should Demand Proof Before Believing The U.S. Government On North Korea and Sony

Yesterday evening the New York Times reported that un-named American intelligence officials have concluded that the North Korean government was "centrally involved" in the massive breach against Sony (NYSE: SNE), and that the White House hasn't yet decided how it will respond.

Such a claim, if true, requires that two things should be done immediately:
  1. The identities of the intelligence officials need to be revealed, or at least the agency that they work for.
  2. Point to the proof that supports that finding.
Chances are better than 50/50 that the agency is DHS; the agency which since its inception has redefined the word incompetent.
Over the past four years, employees have left DHS at a rate nearly twice as fast as in the federal government overall, and the trend is accelerating, according to a review of a federal database. 
A parade of high-level departures, on top of other factors, has meanwhile helped slow the rollout of key cybersecurity initiatives, including a program aimed at blocking malicious software before it can infiltrate civilian government computers, former officials say.
The Inspector General's DHS report that came out last month was highly critical as well.

But even if the NY Times source wasn't DHS, the IC is rarely unified when it comes to intelligence analysis; especially cyber intelligence.The NASDAQ investigation as reported by Bloomberg is a great example.
In early January, the NSA presented its conclusions to top national security officials: Elite Russian hackers had breached the stock exchange and inserted a digital bomb. The best case was that the hackers had packed their malware with a destruction module in case they were detected and needed to create havoc in Nasdaq computer banks to throw off their pursuers. The worst case was that creating havoc was their intention. President Obama was briefed on the findings. 
Later in the investigation, some U.S. officials questioned whether the NSA had pushed the evidence too far. Malware often changes hands—it’s sold, stolen, or shared. And the technical differences between attack code and something less destructive can be surprisingly small. At the time, NSA Director Keith Alexander and his agency were locked in a fight with government branches over how much power the NSA should have to protect private companies from this new form of aggression. Such a brazen attack would certainly bolster its case.
Cyber Intelligence Can Be Contradictory and Unreliable
Federal agencies' demand for cyber threat intelligence is voracious and they pay well. That demand is frequently met by companies like Mandiant, now part of FireEye - the company handling Sony's incident response. The problem is that these companies have no oversight and no standardized vetting of sources.

A recent Carnegie Mellon report on cyber intelligence tradecraft reported:
"Overall, the key findings indicate that organizations use a diverse array of approaches to perform cyber intelligence. They do not adhere to any universal standard for establishing and running a cyber intelligence program, gathering data, or training analysts to interpret the data and communicate findings and performance measures to leadership."
It isn't hard to find examples.

SHAMOON
Cylance's last report "Operation Cleaver" claimed that Iran is a sophisticated cyber adversary and pointed to Shamoon as proof. However, technical reporting by both Kaspersky Lab and Crysys Lab noted that Shamoon's author was incompetent; that due to "silly errors" the malware was only 50% effective. If you want to make the case that Iran is a sophisticated cyber warfare actor, you shouldn't point to poorly written malware as an example.

THE XCAR FORUM
Crowdstrike's "Putter Panda" report made the claim that posts in a Chinese XCar forum were secretly coded messages used to convey information about hacking jobs when it was really just an online forum about cars. This mistake happened because Crowdstrike's researchers used Google Translate instead of native Chinese linguists. When researchers see hidden Chinese hacker messages where none exist, it makes it difficult to accept their analysis of North Korean language peculiarities.

DARK SEOUL
According to Sophos, Dark Seoul malware is not particularly sophisticated and easy to detect. Symantec referred to Dark Seoul not as malware but as a hacker group responsible for four years of attacks against South Korean websites including the DDoS attack against some U.S. government websites over Independence Day weekend in July 2009.
McAfee referred to Dark Seoul as an operational name but then changed it to Operation Troy, extended the attack to a four year campaign and, unlike Symantec, added the claim of espionage as the campaign's purpose.

Names Are Collections Of Technical Indicators, Not People
Names given to hacker groups by cyber intelligence companies don't refer to actual people (with a few notable exceptions). Instead they refer to technical indicators or TTPs (tools, techniques and procedures) that attacks have in common. There's no way to tell who belongs to any group, or if you can identify one member of a group from a certain year, where that member is today. Further, different companies assign different names to the same groups which is why you end up with names like Comment Crew, APT1, Soy Sauce, GIF89a, Shanghai Group, and Comment Panda on the unclassified side, and "Bravo Charlie" on the classified side.

This feeding of commercial cyber intelligence which hasn't been subjected to any critical scrutiny or source validation to intelligence agencies where it gets a new code name and classification is a disaster waiting to happen.

Challenge Everything
Is North Korea responsible for the Sony breach? I can't imagine a more unlikely scenario than that one, and for many of the same reasons that Kim Zetter detailed in her excellent article for Wired.

My advice to journalists, business executives, policymakers, and the general public is to challenge everything that you hear or read about the attribution of cyber attacks. Demand to see the evidence, not scrubbed "indicators of compromise" that can't be validated. Be aware that the FBI, Secret Service, NSA, CIA, and DHS rarely agree with each other, that commercial cyber security companies are in the business of competing with each other, and that "cyber intelligence" is frequently the world's biggest oxymoron.

RELATED

"Responsible Attribution: A Prerequisite for Accountability" by Jeffrey Carr - NATO Cooperative Cyber Defense Centre of Excellence  Tallinn, Estonia. 

Friday, December 5, 2014

"Measure Twice. Bite Once" - Suits and Spooks DC 2015 Supports The Warrior Dog Foundation

You have 5 days left before the Early Bird rate for Suits and Spooks DC/Pentagon City ends on December 10th. For the first time, we'll be holding this event at the Ritz Carlton Pentagon City and we're going to honor the work of the Warrior Dog Foundation by hosting a dinner for them on February 4th.



Normally the tickets for the dinner are sold separately from the Suits and Spooks registration but between now and December 10th, if you register for Suits and Spooks DC/Pentagon City, we'll buy you your ticket to the dinner.

Everyone who registers for Suits and Spooks, whether you register for the dinner or not, will receive an awesome t-shirt which shows a modified Suits and Spooks playing card logo that has been integrated with the Warrior Dog Foundation "paws" and ribbon and the tag line:

MEASURE TWICE BITE ONCE


Visit the brand new Suits and Spooks website to learn more, and register before December 10th to take advantage of this great offer.

Wednesday, December 3, 2014

The One Statement That Changes Everything For A Corporation That's Been Breached

Imagine that you're a publicly-owned company that has just been hacked in a BIG way. You're now in damage control mode. You've made a preliminary announcement. You've hired a high profile and very expensive Incident Response company. That's all SOP. After a reasonable amount of time goes by there is one statement that you can make which will change the game entirely. Guess which one it is:

THE INSIDER STATEMENT: A former ACME Corporation employee named Wiley E. Coyote stole the company's plans for a Jet-Propelled Unicycle by tricking a security guard into thinking it was just a big lunch box.

THE HACKTIVIST STATEMENT: The ACME Corporation's network has been breached by a fast-running ground cuckoo called RoadRunner.

THE NATION STATE STATEMENT: The ACME Corporation is the victim of a highly sophisticated cyber attack by an elite State-sponsored group of hackers.

If you guessed The Nation State Statement, you're right. Here's why.

Companies that get pwned by hacktivists like Anonymous or LulzSec look like they're incompetent because hacktivists launch low-level attacks against low-hanging fruit that shouldn't be there in the first place. Plus, hacktivists frequently get caught and then flip on their compadres. Bottom line, your multi-billion dollar multinational corporation has just been breached by some low-rent kid with no balls and your CEO looks like a jerk.

If, on the other hand, your company was breached by an insider, it opens a huge can of worms for your General Counsel because you hired the guy and malicious insiders always, ALWAYS, give early warning signs before they rip you off, which you clearly missed. With the hacktivist, you may look like a jerk but at least you can blame someone else. If you're the victim of an insider, heads are going to roll.

But imagine if you could point the finger at foreign government; especially one that everyone hated like Iran or North Korea. For many years, China was the go-to culprit but now it's more impressive to be hacked by Russia or the DPRK. If you can blame a nation state by calling the actors "state-sponsored", then you cannot be held responsible. You'd be the victim of a military organization or an intelligence service with vast funding and sophisticated capabilities that could overcome any corporate network. Plus, everybody wins! By blaming North Korea for example you have instantly created a news story which focuses attention on that idiot in Pyongyang instead of your CEO. You've have helped the White House and Congress further their DPRK policies. Your Incident Response company's CEO is now in love with you because you've guaranteed him international headlines which might result in a lucrative acquisition down the road.

Blaming a nation state for your company's attack is WIN - WIN - WIN.

There is one caveat, however.

Because it is so wonderful to be able to claim to be the victim of hackers employed by a foreign government, you have to be careful that the evidence supports your claim. If it looks like an inside job and you claim nation-state, it might have the opposite effect. Then your "win" will vanish faster than a RoadRunner's "beep beep".

Monday, December 1, 2014

The Latest Sony Breach And Its Potential SEC Problems

Sony's (NYSE: SNE) latest network breach is also potentially one of its worst when it comes to financial impact on the company. The attackers (Guardians of Peace) stole five movies including Brad Pitt's "Fury" and released them online. "Fury" alone has had over 1.2 million downloads in the last three days according to Variety, which makes it the second most downloaded movie currently being pirated. The other movies stolen by hackers include "Annie", "Mr. Turner", "Still Alice", and "To Write Love on Her Arms".  The hackers also stole multiple terabytes of internal company financial and personal data which they released today on Pastebin. Depending upon what was stolen, this could make Sony liable for millions of dollars in penalties if includes controlled PII data.

The company's PlayStation unit had been repeatedly and successfully breached by attackers in 2011 which cost it an estimated $171 million and "affect revenues for its fiscal 2011 year" according to its IR group (investor relations). Page 8 of its 2011 Annual Report dedicated one paragraph to that event, 90% of which spoke about how "sophisticated" the hackers were (they actually weren't sophisticated at all) and how they have reinforced their security, blah blah.

The current attack against Sony Entertainment Pictures has potentially done more damage and may involve one or more insiders. Sony has engaged an IR firm to investigate the attack and is cooperating with the FBI, which is pretty standard procedure.

I looked at Sony's annual reports since 2011 and the language used in describing its cyber risk factors remains pretty much the same as this quote from its 2014 20F filing:
"Moreover, as network and information systems have become increasingly important to Sony’s operating activities, the impact that network and information system shutdowns may have on Sony’s operating activities has increased. Shutdowns may be caused by events similar to those described above or other unforeseen events, such as software or hardware defects or cyber-attacks by groups or individuals." 
"Similar events in the future may result in the disruption of Sony’s major business operations, delays in production, shipments and recognition of sales, and large expenditures necessary to enhance, repair or replace such facilities and network and information systems. Furthermore, Sony may not be able to obtain sufficient insurance in the future to cover the resulting expenditures and losses, and insurance premiums may increase. These situations may have an adverse impact on Sony’s operating results and financial condition."
"Sony makes extensive use of information technology, online services and centralized data processing, including through third-party service providers. The secure maintenance and transmission of customer information is a critical element of Sony’s operations. Sony’s information technology and other systems that maintain and transmit such information, or those of service providers or business partners, and the security of such information possessed by Sony or its business partners may be compromised by a malicious third-party or a man-made or natural event, or impacted by intentional or inadvertent actions or inactions by Sony employees, or those of a third-party service provider or business partner. As a result, customer information may be lost, disclosed, misappropriated, altered or accessed without consent. For example, Sony’s network services, online game business and websites of certain subsidiaries have been subject to cyber-attacks by groups and individuals with a wide range of motives and expertise, resulting, in some instances, in unauthorized access to and the potential or actual theft of customer information."
"In addition, Sony, third-party service providers and other business partners process and maintain proprietary Sony business information and data related to Sony’s business, commercial customers, suppliers and other business partners. Sony’s information technology and other systems that maintain and transmit this information, or those of service providers or business partners, and the security of such information possessed by Sony, third party service providers or other business partners may also be compromised by a malicious third-party or a manmade or natural event, or impacted by intentional or inadvertent actions or inactions by Sony employees, or those of a third-party service provider or business partner. As a result, Sony’s business information and customer, supplier, and other business partner data may be lost, disclosed, misappropriated, altered, or accessed without consent."

This is pretty generic stuff, evidenced by the fact that the language doesn't contain anything specific to Sony that wouldn't apply to every other public company. SEC regulations on risk disclosure require that the language to be non-generic so Sony like all registrants will need to find a way to accurately estimate their risk of a cyber attack without providing actionable intelligence to potential attackers (which I believe is entirely possible).

Sony never filed an 8-K on the 2011 breach and to date they haven't filed one on this breach (8-Ks are to be filed on material corporate events that shareholders should know about). I've left a message for their IR desk to call me back so that I can ask them why that is but so far, no joy.

A Taia Global white paper on the SEC and Cyber Risk Factors was just published last Monday and is available for download at the company website.

Thursday, November 27, 2014

Selective Listening Can Kill Your Business (Thank You Gordon Ramsay)

The problem of selective listening (hearing only what you want to hear while ignoring all else) has killed a lot of businesses, especially restaurants. In fact, I suspect that the problem is pervasive across all industries and government agencies.

On Kitchen Nightmares, I watched restauranteurs who were at the brink of closing argue with Chef Ramsay that the problem wasn't the tasteless, frozen, microwaved crap that they served in their almost empty restaurant. It couldn't be because "everyone loves my food".  "Who's everyone? Your restaurant's empty", Ramsay would say. Then there were owners like Sebastian (Sebastian's Pizza) and David (The Black Pearl) whose egos wouldn't allow them to take advice.

I credit Ramsay's series about failing restaurants for helping me avoid those traps and others while I launched and built the Suits and Spooks security event series. After all, a conference is a lot like a pop-up restaurant except with worse food.

I wanted more than anything to build something that was different and that would deliver value to my customers. Inspired by what I learned from Gordon, I picked interesting and unique venues. I imagined that I was creating a menu when I curated my speakers - selecting ones that would add a unique "flavor profile" to Suits and Spooks attendees.  I made sure that I greeted every attendee personally, and listened to their feedback - both positive and negative.

The result was that Suits and Spooks, launched in September, 2011, was sold to Wired Business Media in April, 2014, just two months before Gordon Ramsay announced that after 12 seasons and 123 episodes, Kitchen Nightmares would wrap for good.

So today, on Thanksgiving, I'd like to say thank you to Gordon Ramsay for producing a show that inspired me to build something that I was passionate about and make it a success.



Monday, November 24, 2014

SEC Risk Factors: How To Determine The Business Value Of Your Data To A Foreign Government

“Consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, cybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant. Registrants should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure.”
- CF DISCLOSURE GUIDANCE: TOPIC NO. 2 “CYBERSECURITY”
 

EXECUTIVE SUMMARY

The SEC’s Cybersecurity Disclosure Guidance of 2011, President Obama’s Executive Order 13636 on Critical Infrastructure Cybersecurity (2013) and the launch of NIST’s Cybersecurity Framework (2014) has had a major impact on publicly traded companies and financial institutions who are struggling with quantifying their risk analysis in the new domain of cyberspace.

While the SEC has not yet codified its cybersecurity guidance (Corp Fin Disclosure Guidance: Topic No. 2), it has already issued 50 comment letters to public companies that have not adequately complied with the new guidelines. In fact, that appears to be a long-standing complaint of the SEC staff who would “like [registrants] to ... get away from mind-numbing risk factors disclosures to a more targeted discussion.”

Although the SEC’s cybersecurity guidelines aren’t yet regulations, the disclosure of risk factors such as credit and liquidity have been a requirement for many years3 and a mandatory non- generic risk factor analysis of a company’s digital assets cannot be far off. The dilemma that boards and general counsels are facing today is that too much disclosure might hurt the company’s business, while too little disclosure may, at a minimum, result in the company receiving an SEC comment letter.

This white paper will explore where the SEC is headed on this issue and propose a novel solution that’s both specific to the company and avoids the potential danger of revealing too much information about company vulnerabilities - the ability to verifiably assess the value of your intellectual property (IP) to a rival Nation State by establishing its Target Asset Value™.

You can obtain a copy by visiting the Taia Global website.

Thursday, November 13, 2014

Who Developed China's Laser Weapon and Other Things That Go Boom?

China has spent the last few days showcasing its latest military technology including this new laser weapon that can shoot down drones a mile away in 5 seconds after locating the target. However, if you're like me you'll want to know who built it and what else are they working on!

Well, now you can find out. Here's a 5 minute demo of our new REDACT Search product which tackles that very question. Enjoy!